is there a yarn alternative for npm audit?
I need the pinned resolution feature of yarn, but I also want to audit with npm audit. Is there a yarn alternative to npm audit? Or, alternately, will pinning resolutions of dependencies of dependencies work in npm?

Gotten answered 7/8, 2018 at 17:33 Comment(3)
Check out my post alfilatov.com/posts/… (Psalmody)
You might want to change the accepted answer as the situation has changed. (Daukas)
The current accepted answer is to just use yarn now. (Gotten)

yarn audit / yarn install --audit has been available since yarn@1.12.0

https://github.com/yarnpkg/yarn/releases/tag/v1.12.0

Unfortunately no --fix option yet, but as workaround you can use https://www.npmjs.com/package/yarn-audit-fix

Westland answered 8/10, 2018 at 7:37 Comment(2)
If you are seeing 'Command "audit" not found', upgrade your yarn install: npm install --global yarn, then npm upgrade --global yarn (Mccurry)
There currently is no "fix" option of yarn audit, as you would have with npm audit fix. Follow the issue here: github.com/yarnpkg/yarn/issues/7075 (Lamellicorn)

Yarn doesn't have npm audit fix.

But here's how to do it by using npm – temporarily.

  1. Generate a package-lock.json file without installing node modules:
     npm i --package-lock-only
  2. Fix the packages and update the package-lock.json file:
     npm audit fix
  3. Delete the yarn.lock file and convert the package-lock.json file into yarn.lock:
     rm yarn.lock
     yarn import
  4. Delete the package-lock.json file:
     rm package-lock.json

For example:

$ yarn audit

38363 vulnerabilities found - Packages audited: 908342
Severity: 38352 Low | 11 Moderate

(I know. react-scripts is crazy...)

$ npm audit
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

$ npm i --package-lock-only
...
added 266 packages, removed 354 packages, updated 1653 packages, moved 1 package and audited 913793 packages in 54.304s
found 495 low severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit fix
...
added 267 packages from 152 contributors, removed 355 packages and updated 1712 packages in 92.849s

50 packages are looking for funding
  run `npm fund` for details

fixed 211 of 495 vulnerabilities in 913793 scanned packages
  284 vulnerabilities required manual review and could not be updated

$ git status -s
?? package-lock.json

$ yarn import
yarn import v1.21.1
info found npm package-lock.json, converting to yarn.lock
...
success Saved lockfile.
✨  Done in 25.61s

$ rm package-lock.json
Wordbook answered 27/3, 2020 at 0:2 Comment(3)
It seems that yarn import doesn't work when using a monorepo which refers to other local packages. It looks like it is trying to fetch the packages from the npm registry. Any tips to make this work? (Asphaltite)
This package, npmjs.com/package/yarn-audit-fix, is based on the above answer, turning it into a single command, yarn-audit-fix, so it should simplify the above for you. (Ranket)
To me, it looks like for yarn 3, yarn upgrade-interactive is an alternative (though it does not limit itself to only security updates!). (Antibiotic)

Yes, you can use yarn audit to audit for vulnerabilities, but you can't fix the vulnerabilities with yarn audit fix as you can with npm audit fix.

To fix the vulnerabilities in the yarn.lock file you have to reinstall the package (the one carrying the vulnerability) at a newer version with yarn add package_name.

You can read the issue here: https://github.com/yarnpkg/yarn/issues/7075

Whiffet answered 6/8, 2019 at 6:49 Comment(1)
That thread was locked; a new one should be created. They aren't taking this seriously. (Nicolella)

I think it's not ready on yarn. You can refer to the following issue: https://github.com/yarnpkg/yarn/issues/5808

Singultus answered 9/8, 2018 at 8:6 Comment(2)
What about an accepted 3rd party replacement in the meantime? (Gotten)
alfilatov.com/posts/… (Psalmody)

1st

Always use source control and check in your package.json as well as your yarn.lock and/or package-lock.json first and start with all committed files, so you can roll back if needed with ease.

How about a solution that does not add dependencies to your project (nor installing a third party library)?

yarn outdated         # view
yarn audit            # view 
yarn install --audit  # install

Prefer an interactive way to upgrade selectively with ease?

yarn upgrade-interactive

That might do all you require.

Oddly, you might find with a yarn audit following that command that you still have some vulnerabilities not mentioned by the command yarn upgrade-interactive. In this case I'd first consider this:

yarn upgrade-interactive --latest

where that can be found

Still not quite good enough?

yarn upgrade --latest

I've seen a lot of other potential solutions, previously I'd just switch to npm from yarn temporarily as some users have suggested, then switch back to yarn. This has worked fine for me too. (Though annoying and not elegant)

There are packages out there that don't require install to run. I haven't tried this one, it might be good too:

npm_config_yes=true npx yarn-audit-fix

ref

The key here is you are using npx to avoid installing as a dependency.

Many more solutions are possible. npm and yarn both are package managers, dependency management is a very difficult thing to do, automagically fixing these dependencies will always be a difficult problem to solve. Thus I recommend a little research on how they are actually solving these problems if you have the time. You might find yourself not liking how they do things.

Ultimately, as long as you can roll back you can try a lot of these out and see for yourself. Some packages' severity might not need fixing; sometimes libraries do not have solutions available yet, and then you need to consider removing their usage in your codebase. In theory, less is more: less dependency on libraries, which use libraries, which use libraries... becomes a much smaller surface for attackers to target. Also, it's not advisable to use libraries from untrusted sources; npm, yarn and the rest cannot know everything, nor right away, so keep that in consideration too.

Damages answered 7/7, 2021 at 18:48 Comment(0)

I created a script command in the package.json file to fix it. It creates a copy of yarn.lock as package-lock.json, removes the issues and then re-creates yarn.lock.

"resolve:security": "npm i --package-lock-only && npm audit fix && rm yarn.lock && yarn import && rm package-lock.json",

I hope it helps :)

Cinerary answered 10/7, 2022 at 19:8 Comment(0)

Do a yarn audit and find the package(s) with vulnerabilities.

If they are in your package.json file:

  • fix their version from there

else:

  • they are dependencies of your packages, so add this to your package.json file:

"resolutions": {
  "**/package-name": "known-good-version",
  "**/**/package-name": "known-good-version"
}
Diminution answered 27/3, 2020 at 7:14 Comment(0)

You can use yarn audit as mentioned in the other answers; however, there is a different way to solve them...

You will need to add the resolution instruction to specify the version of the library in which the vulnerability was solved, and the path of the dependency (because the library can be a dependency of another dependency), for example:

Considering part of some package.json below:

{
  "name": "project",
  "version": "1.0.0",
  "dependencies": {
    "left-pad": "1.0.0",
    "c": "file:../c-1",
    "d2": "file:../d2-1"
  },
  "resolutions": {
    "d2/left-pad": "1.1.1",
    "c/**/left-pad": "^1.1.2"
  }
}

More details can be checked directly in the documentation: Doc

Mireielle answered 23/12, 2019 at 2:32 Comment(0)

Yarn also has a yarn audit mechanism, but it doesn't have a yarn audit fix mechanism, so in most cases you have to fix these issues manually. This is how it works; we'll demonstrate it using the minimist package.

Add a resolutions key to your package.json file:

  1. Add the dependency (say minimist) directly as a key/value. This resolution will override minimist entirely in your project.
{
  "resolutions": {
    "minimist": "^1.2.5"
  }
}
  2. In most cases there can be multiple dependencies in a project that use the same secondary dependency; however, they might use different versions of that dependency. Thankfully, yarn/npm allow us to have selective dependency resolutions.

The format to define resolutions is the following:

/* package.json */
{
  "resolutions": {
    "<package>/**/<dependency>": "<version>"
  }
}

Let’s say for example, we have a dependency A and B and both of them depend upon another dependency C.

Then our resolutions field would look like:

/* package.json */
{
  "resolutions": {
    "A/**/C": "2.0.3", // A works fine with the latest version of C
    "B/**/C": "1.9.0" // latest stable version for C for dependency B
  }
}

Let's further see how it works with an example of the package-merge-lodash-4 package. Suppose audit says that lodash@… has vulnerabilities and suggests we upgrade lodash@… -> 4.17.12.

We can write our json file's resolutions only for the concerned package as below:

{
  "resolutions": {
    "package-merge-lodash-4/**/lodash": "4.17.12"
  }
}
  3. How to use selective dependency resolutions in npm?

Add npm-force-resolutions to the preinstall script after you have added the resolutions key to package.json, so that it patches the package-lock file before every npm install you run:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

To confirm that the right version was installed, use the command below:

npm ls <vulnerable dependency>
npm ls lodash


Studious answered 29/4, 2022 at 7:12 Comment(1)
This is very detailed, thank you. This should be the top answer. (Kovrov)
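The three answers above that rely on resolutions all do the same thing by hand: read yarn audit, work out which direct dependency each vulnerable package sits under, pin it with a "<direct>/**/<package>" entry, and reinstall. The following is an added example (not code from the page, from yarn or from npm) that automates the first two steps and adds the check the answers leave out: reading yarn.lock afterwards to confirm nothing is still below the pin. It assumes yarn 1's newline-delimited yarn audit --json output, where each "auditAdvisory" record carries data.resolution.path ("direct>...>vulnerable") and data.advisory.module_name and patched_versions; verify those field names against your own output. The advisory records and the yarn.lock excerpt are constructed sample data, and the package names and versions in them are illustrative only.

```javascript
// Added example: yarn audit --json -> "resolutions" plan -> yarn.lock check.
// Assumption: yarn 1 --json field names (data.resolution.path, data.advisory.*).

// Constructed sample records (package names and versions are illustrative only).
function advisory(chain, mod, patched) {
  return JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { path: chain }, advisory: { module_name: mod, patched_versions: patched } } });
}
const SAMPLE_AUDIT_NDJSON = [
  advisory("package-merge-lodash-4>lodash", "lodash", ">=4.17.12"),
  advisory("react-scripts>webpack>lodash", "lodash", ">=4.17.12"),
  advisory("mkdirp>minimist", "minimist", ">=0.2.1 <1.0.0 || >=1.2.3"),
  advisory("minimist", "minimist", ">=0.2.1 <1.0.0 || >=1.2.3"), // direct dependency
  advisory("c>example-unfixed", "example-unfixed", "<0.0.0"),    // no patched release
  JSON.stringify({ type: "auditSummary", data: { vulnerabilities: { high: 5 } } }),
].join("\n");

// Numeric "x.y.z" comparison; pre-release tags are ignored, which is enough for pins.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number), pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}

// Version to pin: the lower bound of the last "||" alternative (the newest patched
// line). The advisory feed spells "no fix available" as "<0.0.0", which gives null.
function pinFromPatchedRange(range) {
  const m = range.split("||").pop().trim().match(/>=\s*(\d+\.\d+\.\d+)/);
  return m ? m[1] : null;
}

// resolutions: "<direct>/**/<module>" pins for transitive packages (the form used in
// the answers); direct: packages listed in package.json itself, which need a version
// bump there instead; manual: advisories without any fixed release.
function planFromAudit(ndjson) {
  const plan = { resolutions: {}, direct: {}, manual: [] };
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (rec.type !== "auditAdvisory") continue;
    const chain = rec.data.resolution.path, mod = rec.data.advisory.module_name;
    const pin = pinFromPatchedRange(rec.data.advisory.patched_versions);
    if (!pin) { plan.manual.push(`${mod} via ${chain}`); continue; }
    const top = chain.split(">")[0];
    const bucket = top === mod ? plan.direct : plan.resolutions;
    const key = top === mod ? mod : `${top}/**/${mod}`;
    if (!bucket[key] || cmpVersion(pin, bucket[key]) > 0) bucket[key] = pin; // keep the highest pin
  }
  return plan;
}

// Merge the plan into a copy of package.json; an existing, higher pin is left alone.
function applyResolutions(pkg, plan) {
  const out = { ...pkg, resolutions: { ...(pkg.resolutions || {}) } };
  for (const [key, pin] of Object.entries(plan.resolutions)) {
    const current = (out.resolutions[key] || "").replace(/^[\^~]/, "");
    if (!current || cmpVersion(pin, current) > 0) out.resolutions[key] = pin;
  }
  return out;
}

// Minimal yarn.lock v1 reader: an unindented line ending in ":" lists the specs an
// entry satisfies; its indented `version "..."` line is what was installed.
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!/^\s/.test(raw) && raw.endsWith(":")) {
      cur = { specs: raw.slice(0, -1).split(", ").map((s) => s.replace(/^"|"$/g, "")), version: null };
      entries.push(cur);
    } else if (cur) {
      const m = raw.match(/^\s+version "([^"]+)"/);
      if (m) cur.version = m[1];
    }
  }
  return entries;
}

// Post-fix check. yarn.lock does not record which path an entry sits on, so this is
// conservative: every entry of a pinned module must be at or above the highest pin
// for that module, whatever depends on it. Returns the offending entries.
function findUnderPinned(lockText, plan) {
  const floors = { ...plan.direct };
  for (const [key, pin] of Object.entries(plan.resolutions)) {
    const mod = key.split("/**/").pop();
    if (!floors[mod] || cmpVersion(pin, floors[mod]) > 0) floors[mod] = pin;
  }
  const bad = [];
  for (const e of parseYarnLock(lockText)) {
    const spec = e.specs[0], name = spec.slice(0, spec.lastIndexOf("@")); // "@scope/name@range" safe
    if (floors[name] && e.version && cmpVersion(e.version, floors[name]) < 0) {
      bad.push(`${spec} -> ${e.version} (< ${floors[name]})`);
    }
  }
  return bad;
}

// Constructed yarn.lock excerpt: the lodash entry and one minimist entry are too old.
const SAMPLE_YARN_LOCK = `# yarn lockfile v1
"@types/node@^12.0.0":
  version "12.12.6"
lodash@^4.17.11, lodash@^4.17.4:
  version "4.17.11"
minimist@0.0.8:
  version "0.0.8"
minimist@^1.2.0:
  version "1.2.5"
`;
```

Feed planFromAudit the output of yarn audit --json, write applyResolutions(package.json, plan) back, run yarn install, and then run findUnderPinned over the new yarn.lock; anything it returns is a package the resolutions did not reach (a different path, or a spec the glob did not match), and plan.manual lists advisories with no patched release, which is the "remove the dependency" case from the answers above.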

Yarn doesn't support the fix at the moment.

Workaround:

  • create a package-lock.json file using npm
  • fix the packages
  • remove the package-lock.json

npm i --package-lock-only
npm audit fix
rm package-lock.json

and start

yarn start
Laynelayney answered 1/7, 2021 at 19:31 Comment(0)

Try using,

yarn upgrade-interactive --latest

Will install all the latest dependencies.

Rheostat answered 5/2, 2023 at 10:19 Comment(0)

If using yarn 3, you can do:

yarn npm audit
Motivate answered 31/8, 2023 at 17:12 Comment(0)
